On 8 August 2017, the UK government launched a consultation on how best to implement the Network and Information Systems (NIS) Directive, which aims to increase the security of network and information systems across the EU.
UK technology firms should determine whether they are likely to fall within the scope of the legislation or if they are a significant supplier to another entity that qualifies as an operator of essential services.
For digital service providers, the UK government has confirmed that the NIS Directive applies, in a light-touch manner, to three categories: online marketplaces, online search engines and cloud computing services.
The government has proposed detailed definitions of each type of digital service provider:
An online marketplace is defined as “a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods and services.” Online marketplaces are only in scope if sales are concluded on the platform itself; price comparison sites and online retailers selling their own goods are excluded.
An online search engine is “a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found”.
“Digital Service Providers that employ fewer than 50 persons and whose annual turnover and/or balance sheet total do not exceed €10m are automatically excluded from the scope of the NIS Directive,” says the consultation. The wording suggests that a company must satisfy both the headcount and the financial threshold to benefit from this exemption, though whether that is the UK government's intention remains to be seen.
In tune with other recent legislation such as the UK Bribery Act 2010 and the Modern Slavery Act 2015, it is expected that Digital Service Providers will also have a responsibility to drive compliance into their supply chain.
“There should be confidence that the security principles are met regardless of whether an organisation or a third party delivers the service,” says the consultation, emphasising the importance of “ensuring that appropriate measures are employed where third-party services are used”. Accordingly, while suppliers to digital service providers may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch a digital service provider's network and information systems, they will be contractually obliged to comply.
What are the key elements for digital service providers?
Digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems. This covers five areas: the security of systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards.
What these broad principles mean in practice is yet to be established. The consultation paper indicates that further guidance will be issued by the government, the National Cyber Security Centre and the relevant competent authority, and that this guidance is likely to track as closely as possible the guidance produced by the EU Agency for Network and Information Security (Enisa).
The incident reporting requirements for digital service providers will be set out in an Implementing Act produced by the European Commission. The UK government has indicated that the general principle is that digital service providers will be required to report incidents affecting the supply, provision, confidentiality or integrity of the service.
It is proposed that a report must be made within 72 hours of the provider becoming aware of the incident. The government has stated that the level of uncertainty at this stage makes it difficult to consult effectively, and has therefore proposed a smaller, targeted consultation once the European Commission has produced the Implementing Act.
Who will oversee compliance of digital service providers?
The government proposes to nominate a competent authority to oversee implementation of, and compliance with, the Directive. For digital service providers, this is the Information Commissioner’s Office (ICO). The competent authority will have the power to decide whether to publicise an incident, to obtain the information required to assess compliance, to identify breaches of the Directive and to take enforcement action.
Digital service providers will be subject to a “lighter-touch” application of the NIS Directive: supervision is after the fact, so regulatory and enforcement action can only be taken after an incident has occurred or after a company is reported to the ICO as being non-compliant with the Directive.
What are the sanctions?
While the gestation of the Directive has run in parallel with the EU General Data Protection Regulation (GDPR), the NIS Directive has largely remained in the shadow of the publicity surrounding the GDPR penalty regime. However, in the consultation paper the government has indicated a desire to mirror that regime by proposing two bands of penalties, with fines of up to €20m or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put in place effective cyber security measures.
The press release issued by the Department for Digital, Culture, Media and Sport (DCMS) suggests that a fine for breach of the NIS Directive will be separate from, and additional to, any fine ordered under the GDPR. An organisation suffering a cyber attack that results in the loss of both services and personal data could therefore face a “double liability”, with combined fines of up to €40m.
It is also not clear whether related sanctions imposed by other regulators will be taken into account when determining the sanction for non-compliance.
The NIS Directive has largely gone unnoticed: while most businesses are squaring up to the challenges of the GDPR, compliance with the NIS Directive appears on few agendas.
Given that operators of essential services and the defined digital service providers face the prospect of sanctions equal to those under the GDPR, compliance with the NIS Directive as enacted should be high on the priority list.
While the principal focus is on those businesses falling within the defined scope of operator of essential services, key suppliers to those operators have to anticipate that they will be contractually obliged by their customers to comply with the enacting legislation.